This article is the first of a two-part series that will describe the
various methods of implementing Windows 2000 IP Security filters that are
integrated with IPSEC communications. This installment will offer an
overview of IP security policies, including defining, testing, and
expanding IP security policies.

Shortly after lunch break, an employee angrily strides out of his
supervisor’s office, down two rows of desks, and into a single cubicle. He
slumps down into his chair and releases an exasperated sigh, as he runs
his hands through his hair in disappointment.

3. Behavior Blocking: The Next Step in Anti-Virus Protection
by Carey Nachenberg

Before the arrival of the fast-spreading worm/blended threat, the staple
technology of anti-virus software – fingerprinting - arguably provided
both preventative and proactive protection against the average computer
virus. That is, in the past, vendors were able to ship new fingerprints
for most viruses before they could achieve widespread distribution. This
is because traditional viruses spread slowly - only when humans exchange
infected files - on the order of days or weeks. Consequently, in the
majority of cases, anti-virus software blocked initial infection,
preventing corporate machines from being compromised and precluding the
need for costly manual cleanup and downtime.

SSH Secure Shell 2 is a protocol which provides a secure connection
between computers. WinSSHD is an SSH Secure Shell 2 server for Microsoft
Windows systems, and is maintained by BitVise.

An issue has been reported in WinSSHD which could allow a user to cause a
denial of service condition on an SSH Secure Shell 2 server.

Reportedly, if a user establishes an unusual number of incomplete
connections, it is possible that the SSH Secure Shell server will not
properly free up sessions which have been unexpectedly terminated, thus
leaking nonpaged kernel memory.

This issue exists in builds of WinSSHD prior to 2002-03-16 and has been
successfully exploited on a Windows 2000 Server.

Successful exploitation of this issue will deny legitimate users of the
service access to desired resources. A restart of the service is required
in order to regain normal functionality.

Incredimail is an email client for Microsoft Windows based systems. It
includes support for a wide range of rich, multimedia features such as
sound, animations and backgrounds in email.

A weakness has been discovered in some versions of Incredimail. When email
is received including a file attachment, the file is automatically stored
in a predictable location on the local system. An attacker may be able to
use this knowledge to launch further attacks against the vulnerable
system.

In particular, this vulnerability may allow the execution of arbitrary
code when used in conjunction with BID 3867, Microsoft Internet Explorer
Arbitrary Program Execution Vulnerability.

Eudora is an email client for Microsoft Windows based systems. Eudora uses
Internet Explorer to assist in the viewing of HTML messages if the 'Use
Microsoft Viewer' option is enabled.

A weakness has been discovered in some versions of Eudora. When email is
received including a file attachment, the file is automatically stored in
a predictable location on the local system (typically the 'Attachment'
directory). An attacker may be able to use this knowledge to launch
further attacks against the vulnerable system.

In particular, this vulnerability may allow the execution of arbitrary
code when used in conjunction with BID 3867, Microsoft Internet Explorer
Arbitrary Program Execution Vulnerability.

BG Guestbook is a freely available web application written in PHP, which
is back-ended by a MySQL database. It can display content using either
HTML or Flash. It will run on most Unix and Linux variants as well as
Microsoft Windows operating systems.

BG Guestbook does not perform sufficient validation of user-supplied
input, especially with regard to HTML tags. As a result, BG Guestbook is
prone to cross-site scripting attacks.

An attacker may inject encoded variants of HTML tags/script code into
various fields. This may enable a remote attacker to cause arbitrary
script code to be executed in the browser of a legitimate web user, in the
context of the site running the vulnerable software.

This issue is present in both the HTML and Flash versions of the
vulnerable guestbook software.

Successful exploitation may enable an attacker to steal cookie-based
authentication credentials or cause malicious content to be displayed in
the browser of a web user who views the website running the vulnerable
software.

Hosting Controller is an application which centralizes all hosting tasks
to one interface. Hosting Controller gives every user the required control
they need to manage the appropriate web site relevant to them. Hosting
Controller runs on Microsoft Windows systems.

An issue has been discovered in Hosting Controller which could allow for
the unauthorized modification of directory contents.

The 'folderactions.asp' page enables a user to create or delete files and
directories on the server. The 'file_editor.asp' page allows a user to
modify the contents of web pages.

Due to a flaw in the validation of user privileges, a request composed of
'../' sequences along with either 'folderactions.asp' or
'file_editor.asp', will allow an unauthorized user to modify, delete or
create files and directories outside of the web root.
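The containment half of the fix for the Hosting Controller issue above, as
an added example that is not Hosting Controller's code: the requested path
is normalized under Windows path rules and rejected unless it still lies
inside the web root. The root path and function names are hypothetical, and
the privilege check the advisory mentions is a separate control.

```python
import ntpath   # Windows path rules, usable on any platform

WEB_ROOT = r"C:\webspace\site1"   # hypothetical per-user web root


def resolve_in_root(root, requested):
    """Return the normalized absolute path for `requested`, or raise
    PermissionError if it would land outside `root`."""
    root = ntpath.normpath(root)
    if "\x00" in requested:
        raise PermissionError("NUL byte in path")
    # join() drops `root` when `requested` is absolute or names another
    # drive or UNC share; normpath() collapses '.' and '..' and turns '/'
    # into '\', so both separator styles are handled.
    candidate = ntpath.normpath(ntpath.join(root, requested))
    try:
        # Compare whole path components, not string prefixes, so that
        # C:\webspace\site10 is not mistaken for a child of ...\site1.
        inside = ntpath.commonpath([root, candidate]) == root
    except ValueError:            # different drive or UNC share
        inside = False
    if not inside:
        raise PermissionError("path escapes web root: %r" % requested)
    return candidate


def is_allowed(requested, root=WEB_ROOT):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        resolve_in_root(root, requested)
        return True
    except PermissionError:
        return False
```

The file operation should then use the returned path, never the original
request string.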

Microsoft's MSN Messenger is an instant messaging client for Windows
based machines, based on the Passport system.

A vulnerability has been reported in some versions of MSN Messenger.
Reportedly, it is possible to send messages through the server such that
they appear to have originated from an arbitrary user. An attacker may be
able to use this to initiate a social engineering attack, or create a
denial of service situation.

It has been reported that client to client communications occur through a
central server, and are tracked by a Session ID. This Session ID is
granted by the server to any authenticated user, without the need for
further authentication. An attacker may forge the client side of the
communication, and misuse the Session ID to transmit messages with an
arbitrary sender.

It is possible that other versions of Messenger share this vulnerability.
This has not, however, been confirmed.

A problem has been discovered in the JavaScript interpreter in numerous
web browsers which may enable a malicious webpage to cause a denial of
service to the web client. Browsers that have been tested include
Microsoft Internet Explorer, Mozilla and Opera.

It is possible to create a loop in JavaScript which is capable of crashing
the web browser. This is due to a flaw in the JavaScript interpreter for
affected web browsers.

It has been reported that in some environments (such as IE with Windows
2000) the error message generated by exploitation of this issue indicates
that a stack overflow has occurred. It is not known whether this issue may
be exploited to execute arbitrary code.

vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.

vBulletin includes functionality to allow forum users to post images in
messages. To post an image, a user simply includes a link to the image
inside of [img] tags. However, vBulletin does not adequately filter
encoded script code in image tags. As a result, it is possible for an
attacker to post a maliciously constructed forum message which contains
arbitrary script code. When the message is viewed by legitimate users of
the website, the script code will be executed in their web browser, in the
context of the website running the vulnerable software.

This may enable an attacker to steal cookie-based authentication
credentials from a legitimate user of the website running the vulnerable
software.

It is not known whether vBulletin Lite is also affected by this
vulnerability.
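A filter for the [img] case described above has to decode the URL before
judging it, because the script is hidden by encoding. The following is an
added example, not vBulletin's code; the function names, the http/https
allowlist and the sample post are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {"http", "https"}   # assumption: only remote web images
# Characters browsers strip from URLs or that could break out of src="...".
FORBIDDEN = re.compile(r"[\x00-\x20\x7f\"'<>`\\]")

def canonicalize(url):
    """Decode HTML entities until the value stops changing, so that
    double-encoded input is reduced to what a browser would finally see."""
    previous = None
    while previous != url:
        previous, url = url, html.unescape(url)
    return url

def safe_img_url(raw):
    """Return the decoded URL if it is a plain absolute http(s) URL, else None."""
    url = canonicalize(raw.strip())
    if FORBIDDEN.search(url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url

def render_post(text):
    """HTML-escape the post, expanding only [img] tags whose URL validates."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = safe_img_url(m.group(1))
        if url is None:
            out.append(html.escape(m.group(0)))   # rejected tag stays inert text
        else:
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

# Constructed sample post: one ordinary image, one entity-encoded script URL.
SAMPLE = ("[img]http://example.com/cat.png[/img] "
          "[img]jav&#x61;script:alert(1)[/img]")
```

Validation runs on the decoded value and the output is re-escaped, so the
check and the browser see the same string.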

Java virtual machine implementations contain a vulnerability that may
allow for malicious Java applets to escape the security sandbox.

The vulnerability is due to a data casting error. It is possible for an
applet constructed at the bytecode-level to perform an illegal casting
operation. By doing so, the security sandbox intended to limit the
operations that can be performed by an applet may be escaped. This can
result in the unrestricted execution of system-level code with the
privileges of the user running the virtual machine (possibly through a
browser).

It should be noted that this is a variant of a previously discovered
vulnerability, BID 740.

CyberPatrol is filtering software that lets you control access to the
Internet (Web sites, newsgroups, and IRC chat) and to applications on your
computer. You set up filtering options as desired to control when, where,
how, and to whom access is blocked or allowed.

SuperScout Email Filter is comprehensive software that protects against
such dangers by giving you the information and tools to implement as well
as enforce an email Acceptable Use Policy that can help to: Increase
Security, Limit Legal Liability, and Improve Productivity.

Adding new servers to expand processing capacity is a costly solution -
placing a burden on administrator resources and IT budgets. With the SSP
XBoard-1680 organizations increase the efficiency of a server, allowing up
to 1680 SSL authentications to be processed per second, at a fraction of
the cost of adding new servers. By adding an SSP XBoard-1680 to a server,
significantly less CPU capacity is utilized for processing SSL connections
- freeing the CPU to respond to more customer requests and interact with
other Web site resources, such as customer databases, directories and
content servers. This next generation SSP XBoard provides increased
performance, load-balancing to multiple servers across a network, and
clustering support allowing multiple Web servers to share a single
CipherServer. Administrators can direct network traffic to a single or
multiple boards, in multiple systems - optimizing server usage.
Installation and configuration of the SSP XBoard-1680 can be completed in
minutes, providing some of the fastest SSL transaction performance
available in a single unit.

Intended for individuals in need of high security working in groups. It is
a secure online system integrating multi-user based security into email,
instant messaging, file sharing and online file storage in one unique
package. Provides real time communication for text and data transfers in a
multi user secure environment.

mod_protection is an Apache module that integrates the basic function of
an IDS (Intrusion Detection System) and a firewall. When a malicious
client sends a request that matches a rule, the administrator will be
warned and the client gets an error message.

Bouncer is a network tool which allows you to bypass proxy restrictions
and obtain outside connections from an internal LAN. It uses SSL
tunneling, which allows you to obtain a constant streaming connection out
of a proxy. If you are restricted behind a proxy and can access secure
online ordering sites, then you can get out to whatever host on whatever
port you want. It also supports a lot of other features including socks 5,
basic authentication, access control lists, and Web-based administration,
and will run on Windows, Linux, and FreeBSD.

Lcrzoex is a toolbox for network administrators and network hackers.
Lcrzoex contains over 300 functionalities using the lcrzo network library.
Each one can be compiled alone and modified to match your needs.